Introduction
The digital threat landscape is in a constant state of flux, with attackers perpetually seeking new avenues to compromise users and corporate environments. As a result, the Edge browser security team must remain vigilant, adapting to both emerging and evolving threats. The team recently received intelligence indicating that threat actors were abusing Internet Explorer (IE) mode within Edge to gain access to unsuspecting users’ devices. This blog post outlines the reactive changes made to IE mode in Edge and the reasoning behind them.
Internet Explorer Mode: Legacy Compatibility Meets Modern Security
While the majority of the web has transitioned to modern standards, there remains a small subset of sites that still depend on legacy technologies such as ActiveX and Flash. This is especially prevalent in business applications, older security camera interfaces, and some government portals, where updating underlying technology stacks is often slow or impractical. For this reason, Microsoft Edge offers Internet Explorer mode so that users can complete their tasks on pre-selected sites then return safely to Edge.
However, it is important to recognise that Internet Explorer was not designed with the robust architecture and defence-in-depth mitigations that we have come to expect from modern Chromium-based browsers such as Edge. This exposes users of such browsers to risks that contemporary products are explicitly engineered to mitigate.
The Exploit: Chakra and Entry Point Abuse
In August 2025, the Edge security team received credible intelligence that threat actors were leveraging basic social engineering techniques alongside unpatched (0-day) exploits in Internet Explorer’s JavaScript engine (Chakra) to gain access to victim devices. The attacker would first convince the victim to navigate to an official-looking spoofed website, then use a flyout on the page to request the user to reload the page in Internet Explorer mode. The attackers would then leverage a Chakra (IE’s JavaScript engine) exploit to gain remote code execution. Finally, the attackers would use a second exploit to elevate their privileges out of the browser to gain full control of the victim’s device.
This attack vector is particularly concerning because it bypasses many of the security enhancements present in Chromium by reverting to IE’s older execution environment. Successful exploitation could result in the installation of malware, lateral movement within corporate networks, or exfiltration of sensitive data.
Our Response: Restraining IE Mode Access
With clear evidence of active exploitation and users at risk, the Edge browser security team took decisive action to remove the highest-risk entry points for loading a page in IE Mode for consumer devices.
Changes for Consumer Devices
For consumer devices, the following changes were implemented:
- Starting with version 141.0.3517.0: Users will no longer see the option to reload in IE Mode in the hamburger/ellipsis menu (a.k.a. AppMenu).
- Starting with version 142.0.3553.0: Users will no longer see the option to add the toolbar button, and the toolbar button for IE Mode will be removed.
Enterprise Devices
Enterprise devices are determined by whether group policies for IE Mode are configured on the device. Technically, users can configure these group policies on their own machines to achieve the same managed device behavior.
No changes were made to the logic for enterprise users to enable IE mode through enterprise policies. Organizations that rely on IE Mode for legacy applications can continue to manage it through their existing policy configurations.
Alternative Access for Consumer Devices
For non-enterprise users with a genuine need for Internet Explorer compatibility, IE mode remains available, but must now be explicitly enabled on a site-by-site basis via Edge’s settings:
- Navigate to Settings > Default Browser.
- Locate the option labeled Allow sites to be reloaded in Internet Explorer mode and set it to Allow.
- After enabling this setting, add the specific site(s) requiring IE compatibility to the Internet Explorer mode pages list.
- Reload the site; it should now open in IE mode with the required compatibility.
This approach ensures that the decision to load web content using legacy technology is significantly more intentional. The additional steps required to add a site to a site list are a significant barrier for even the most determined attackers to overcome.
I Use IE Mode, What Should I Do?
Internet Explorer 11 officially reached its end of life on 15 June 2022 and is no longer officially supported by Microsoft beyond critical security updates due to its inclusion in Microsoft Edge. Microsoft strongly advises users to migrate away from legacy web technologies as soon as possible to benefit from enhanced security, greater reliability, and improved performance offered by modern browsers. To check whether you have Internet Explorer mode enabled on your device open Edge, navigate to Settings > Default Browser. Here you can ensure that it is enabled or disabled.
Conclusion
Microsoft Edge continues to evolve, balancing the need for legacy support with robust, modern security. By restricting casual access to IE mode, the Edge browser security team is reducing the risk of exploitation while providing a clear, auditable pathway for genuine business requirements.